Conseil d'État Upholds €40M GDPR Fine Against Criteo: Ad-Tech Compliance Implications

AIGovHub Editorial, March 14, 2026

What Happened: Conseil d'État Upholds Landmark €40 Million GDPR Fine

The French Conseil d'État has definitively upheld a €40 million GDPR fine against Criteo, one of the world's largest ad-tech companies. The fine was originally imposed by the French Data Protection Authority (CNIL) following complaints filed in 2018 by privacy organizations noyb and Privacy International. The court rejected Criteo's appeal, which argued that the pseudonymous identifiers used in its tracking activities did not constitute personal data under GDPR.

The court ruled that data is only considered anonymized if the risk of re-identification is insignificant. Since Criteo's system cross-referenced identifiers with IP addresses and browsing data to enable targeted advertising, these identifiers qualified as personal data under GDPR. The violations centered on failure to obtain valid consent, lack of transparency about data processing, and non-compliance with data subject rights to erasure and access.

Why It Matters: Ad-Tech Compliance Risks Under Heightened Scrutiny

This decision comes at a critical time for the ad-tech industry, coinciding with debates over the EU's 'Digital Omnibus' proposal, which could narrow the definition of personal data. The ruling reinforces several key compliance risks that organizations must address:

Common Ad-Tech Pitfalls Identified in the Case

  • Insufficient Consent Mechanisms: Criteo's consent processes failed to meet GDPR's requirement that consent be specific, informed, and unambiguous. Many ad-tech companies rely on implied consent or overly broad permissions that do not withstand regulatory scrutiny.
  • Data Processing Transparency Gaps: The court found Criteo lacked clear communication about how personal data was collected, used, and shared across its advertising ecosystem. GDPR Article 13 requires transparent information about processing purposes and legal bases.
  • Pseudonymization Misunderstanding: The ruling clarifies that pseudonymous data combined with other identifiers (like IP addresses) remains personal data subject to GDPR protections. Organizations cannot assume technical measures alone exempt them from compliance obligations.
  • Data Subject Rights Non-Compliance: Criteo failed to properly handle requests for data access and erasure under GDPR Articles 15 and 17. Ad-tech systems must have mechanisms to identify and respond to individual rights requests across complex data flows.

The enforcement trend is accelerating, with CNIL reporting a 10% increase in data breach notifications in 2025. The authority has made cybersecurity and data protection a key strategic focus from 2025 to 2028, with plans to participate in the InCyber Forum from March 31 to April 2, 2026, to provide compliance guidance and emphasize enforcement priorities.

What Organizations Should Do: Practical Compliance Steps

Ad-tech companies and any organization using tracking technologies must take immediate action to mitigate similar compliance risks. Here are practical steps based on the Criteo case findings:

1. Review and Update Data Privacy Policies

  • Conduct a comprehensive audit of all data collection points, processing purposes, and third-party sharing arrangements.
  • Ensure privacy notices clearly explain how pseudonymous identifiers are used and combined with other data points.
  • Map data flows to identify where transparency gaps exist, particularly in programmatic advertising ecosystems.

2. Implement Robust Consent Management

  • Deploy consent management platforms that capture granular preferences and maintain audit trails.
  • Ensure consent mechanisms are specific to each processing purpose, not bundled as blanket permissions.
  • Regularly test consent interfaces for usability and compliance with emerging standards.

3. Conduct Regular GDPR Audits and Assessments

  • Perform Data Protection Impact Assessments (DPIAs) for high-risk processing activities, as required under GDPR Article 35.
  • Establish processes to respond to data subject requests within the mandated one-month timeframe.
  • Review vendor contracts to ensure third-party processors provide adequate GDPR safeguards.

For organizations seeking to automate these processes, platforms like OneTrust and Securiti AI offer solutions for consent management, data mapping, and privacy automation. AIGovHub provides comprehensive GDPR compliance resources to help navigate these requirements.

Conclusion: A New Era of Ad-Tech Accountability

The Conseil d'État's decision marks a significant moment in GDPR enforcement, particularly for the ad-tech sector. With fines reaching €40 million and courts rejecting technical arguments about pseudonymization, organizations must prioritize genuine compliance over minimal adherence. As CNIL prepares to engage with professionals at the 2026 InCyber Forum, the message is clear: data protection authorities are increasing scrutiny of complex data ecosystems.

This ruling should serve as a wake-up call for any company processing personal data for advertising purposes. The compliance landscape is evolving rapidly, with parallel developments in AI governance under the EU AI Act (Regulation (EU) 2024/1689) that may intersect with data privacy requirements. Organizations that proactively address consent, transparency, and data subject rights will be better positioned to avoid similar enforcement actions.

This content is for informational purposes only and does not constitute legal advice.